My experiences as an IT professional - Anything that I write here is my personal opinion and should not be officially associated with any other entity

Tuesday, February 26, 2013

To run scheduled scans or not

Is it still necessary to do weekly scheduled antimalware scans these days in addition to real-time scans?

It just seems like, more and more, antimalware software is used to meet compliance obligations and not as a real security layer. I say this because, as we see in breach after breach reported in the news, antimalware software effectively offers little in the way of real protection against modern malware threats these days.

Some people might say that you leave an enterprise appreciably open to infection by not running scheduled scans along with real-time scans, but is this true? By some reports, antimalware software can only detect about 60-70% of all known infectious software, regardless of scan type.

So the question is, if something is only 60-70% effective today against malware, how is performing a scheduled scan going to help you? Once a box is infected despite real-time scanning protections, the malware is very likely to hide itself from the antimalware or disable the antimalware software altogether.

In my mind, it just seems like best practice is to use either real-time scanning or scheduled scans, but not both. Use real-time scanning on systems where performance isn't a critical issue and use scheduled scans on systems that require every bit of computing power.
